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METHOD AND SYSTEM FOR DETECTING FRAUD 

Field of the Invention 

The invention relates to detecting fraud in a networked system that facilitates a 
payment transaction between two parties. More specifically, the invention relates to a 
5 system and method for detecting fraud in which an Internet web site serves as a payment 

facilitator when a first party wishes to pay a second party for goods, services, etc. 

Background 

Traditionally, classified advertisements and other newspaper, specialty paper, and 
magazine advertisements and listings provide a way for a seller of goods or services to 

10 advertise in an attempt to obtain a buyer for the goods or services. However, when a 

transaction is agreed upon, the buyer and seller enter an awkward time, particularly when 
the transaction takes place across a great geographical distance. The persons and smaller 
businesses taking advantage of classified advertisements and similar listings do not 
typically accept payment by credit card or bank debit card. Checks and money orders are 

15 generally used. The buyer may send a check or money order by letter to the seller, and the 

seller may either simultaneously with the sending of the funds or upon receipt of the funds, 
send the goods to the buyer. The buyer and seller must trust one another. Each runs the 
risk of encountering a swindle and being the victim of fraud. The same applies when 
services are purchased over a great distance. In addition, there is a delay in the buyer 

20 receiving the goods or services when the seller waits for a check to be mailed and then clear 

before shipping the item or activating the service. 

On-line sale facilitating systems have given new life to person to person long 
distance sale of goods and services. Rather than selling via local magazines, specialty 
papers, and newspaper classifieds and listings, persons are using on-line sale facilitating 

25 systems to sell locally, nationally and internationally via the Internet. 

The Internet and personal computers have become ubiquitous in modem society. 
Although the Internet has existed in various forms for many years, the Internet became 
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popular as a mass communication vehicle with the introduction of the world wide web. 
The world wide web is, from the user's perspective, a way of easily identifying a remote 
computer, connecting to the remote computer, and viewing information stored on the 
remote computer. Remote computers that provide a vehicle for the sale of goods and 
services have become very popular. These systems are referred to herein as sale facilitating 

systems. EBAY® is an example of a sale facilitating system. However, even with this 

new technology, buyers and sellers must still trust one another as each still runs the risk of 
encountering a swindle and being the victim of fraud while funds and goods are exchanged 
by mail. 

While using the Internet, hidden from the user are the various communications 
protocols that make the Internet function. Various committees and ad hoc groups known as 
working groups coordinate and control the Internet. The Internet Engineering Task Force 
(IETF) is the protocol engineering and development arm of the Internet. Working groups 
under the IETF determine the rules and protocols for the underlying functionality of the 
Internet and publish them as requests for comment, commonly referred to as RFCs. Each 
working group makes its RFCs available via the Internet at various web sites. Information 
is communicated over the Internet via the transmission control protocol/Internet protocol 
(TCP/IP) and hypertext transfer protocol (HTTP). Many personal computers utilize the 
point to point protocol (PPP) to communicate with an internet service provider to obtain a 
link to the Internet. More information is available from T. Socolofsky and C. Kale, A 
TCP/IP Tutorial . RFC 1180, January 1991, http://www.ietf.org/rfc/rfcll80.txt; R. 
Fielding et al, Hypertext Transfer Protocol - HTTP/1. 1 . RFC 2616, June 1999 (Draft 
Standard), http://www.ietf.org/rfc/rfc26 16.txt\ and W. Simpson, Editor, The Point-to- 
Point Protocol . RFC 1661, http://www.ietf.org/rfc/rfcl661.txt. 

To make on-line and off-line purchases easier, payment facilitators that allow 
buyers to purchase from sellers via credit cards and debit cards eliminate the uneasiness of 
long distance purchases originating from traditional classified advertisements, on-line 

classified advertisement, on-line sale facilitating systems such as EBAY®, and others. To 
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make their service safe and secure, payment facilitators should check for potential 
fraudulent transactions when processing payment transactions. 

BRIEF SUMMARY OF THE INVENTION 

A system and method for detecting fraud when facilitating a payment transaction 
over a global wide area network. The method comprises receiving a sale information, 
receiving a payment information from a buyer, and analyzing a transaction information for 
fraud. If the analyzing indicates fraud, an enhanced transaction information is 
communicated to a human for fraud analysis. In one embodiment, the method comprises 
performing rule-based analyses to determine whether the transaction appears to be 
fraudulent. Rule-based analyses may include suspect data rules and velocity rules. 
Velocity rules generally determine whether there has been excessive activity that may lead to 
a conclusion that the transaction may be fraudulent. Suspect data rules are used to 
determine whether the billing, shipping, selling addresses, telephone numbers, and account 
numbers, and other data are in a syntactically correct format and whether they exist. In one 
embodiment, the method further comprises performing simple screening of the transaction 
information. In one embodiment, the method further comprises seeking approval from a 
third party such as a financial institution based on the payment information. The method 
may be implemented as part of a system that includes personal computers, server 
computers, and other personal computing devices, some of which may communicate over 
the Internet, and others which may communicate via dedicated communication lines. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 depicts a networked environment in which the fraud detection method 
and system of the present invention may be implemented. 

Figure 2 depicts a software architecture and software components of one 
embodiment of the fraud detection method and system of the present invention. 

Figure 3 depicts a general flow of actions taken according to one embodiment of 
the fraud detection method and system of the present invention. 

Figure 4 depicts a more detailed flow of actions taken according to one 
embodiment of the fraud detection method and system of the present invention. 
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DETAILED DESCRIPTION 

Figure 1 depicts a networked environment in which the fraud detection method 
and system of the present invention may be implemented. In this embodiment, the method 
is implemented as software stored in and executed by a server computer such as payment 
facilitator computer 10. Payment facilitator computer 10 may be any server computer that 
can execute software programs and access a global communications network such as the 
Internet. In one embodiment, payment facilitator computer 10 comprises processor 12 and 
memory 14. Processor 12 may be any computer processor, and memory 14 may be any 
random access memory (RAM) or other readable and writeable memory device. 

The method and system for detecting fraud in a networked system that facilitates a 
payment transaction between two parties is referred to, for ease of reference, as fraud 
detection software and the fraud detection system. Processor 12 executes the fraud 
detection software utilizing memory 14. Information, including the fraud detection 
software, is read from and written to disk drive 16 which is coupled to the payment 
facilitator computer via disk controller 18. Disk drive 16 may be a hard disk drive, a 
readable and writeable compact disk (CDRW) drive, a floppy disk drive, etc. In addition, 
disk drive 16 may be any device by which a machine may read from a machine readable 
medium such as the devices already mentioned, as well as, but not limited to, a stick or card 
memory device, a digital audio tape (DAT) reader, etc. The processor may communicate 
instructions to display controller 20 to display images on display device 22. Display 
controller 20 may be any display controller, and display device 22 may be any display 
monitor, including, but not limited to, a CRT display monitor, or TFT display screen. A 
system administrator or other similar person accesses payment facilitator computer 10 via 
any computer input device, such as, for example, keyboard 24 and mouse 26 which are 
coupled to the processor by I/O controller 28. 

Payment facilitator computer 10 also includes network interface 30. In this 
embodiment, the payment facilitator computer 10 communicates with a wide area network, 
or, in one embodiment, the Internet 34. Network interface 30 may be an analog modem, a 
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digital modem, a cable modem, an Ethernet card, or any other kind of network access 
device that allows for connection to the Internet 34 via an analog telephone line, digital 
subscriber line (DSL), cable television line, Tl line, or any other line capable of 
communicating information over a network. Processor 12, memory 14, disk controller 18, 
display controller 20, I/O controller 28, and network interface 30, are coupled to one 
another via and communicate with one another over bus 32. Bus 32 may be any bus that 
provides for communication of and between components within a computer. Although 
only one bus is depicted, multiple buses may be used in personal computer 10. In addition, 
other components and controllers (not depicted) or multiple instances of depicted 
components and controllers may be included in payment facilitator computer 10. In one 
embodiment, payment facilitator computer 10 communicates over the Internet via network 
interface 30 and receives information from and communicates information to devices 
connected to the Internet such as seller computer 35 and buyer computer 36. 

Although only one payment facilitator computer 10 is depicted, a payment facilitator 
system may be comprised of multiple computers in the form of a local area network (LAN), 
grouping, subnetwork, etc. (not shown). This payment facilitator system grouping, LAN, 
subnetwork, etc. may be connected to the Internet or other global communications network, 
in one embodiment, via one or more firewalls or other security devices and systems so that 
the payment facilitator computer is separated from the Internet for security purposes. The 
payment facilitator computer or system may be comprised of graphics servers, application 
servers and other specialized, dedicated servers (not shown). 

In one embodiment, seller computer 35 may be any kind of personal computing 
device that can execute programs and access a global communications network such as the 
Internet, including, but not limited to, cellular telephones, personal digital assistants, 
desktop personal computers, portable computers, computer workstations, etc. In one 
embodiment, seller computer 35 comprises processor 44, which may be any computer 
processor, and memory 46, which may be any random access memory (RAM) or other 
readable and writeable memory device. Software programs, including a web browser and 



00380 1.P034 



6 



Express Mail No. EM560647507US 



Internet communication and connection software, and other information are stored on disk 
drive 48 which is coupled to seller computer via disk controller 50. Disk drive 48 may be a 
hard disk drive, a readable and writeable compact disk (CDRW) drive, a floppy disk drive, 
etc. and may also be any other kind of storage device, such as, but not limited to, a stick or 
card memory device, a digital audio tape (DAT) reader, etc. The processor may 
communicate instructions to display controller 52 to display images on display device 54. 
Display controller 52 may be any display controller, and display device 54 may be any 
display monitor, including, but not limited to, a CRT display monitor, or TFT display 
screen. A user accesses seller computer 35 via any computer input device, such as, for 
example, keyboard 56 and mouse 58 which are coupled to the processor by I/O controller 
60. 

Seller computer 35 also includes network interface 62. In one embodiment, the 
seller computer communicates over the Internet 34 to access payment facilitator computer 
10. Network interface 64 may be an analog modem, a digital modem, a cable modem, or 
any other kind of network access device that allows for connection to the Internet, or other 
global communications network. Processor 44, memory 46, disk controller 50, display 
controller 52, I/O controller 60, and network interface 62, are coupled to one another via 
and communicate with one another over bus 64. In addition, other components and 
controllers (not depicted) or multiple instances of depicted components and controllers may 
be included in seller computer 35. 

Buyer computer 36 may be any personal computing device such as that described 
with regard to seller computer 35. Similarly, fraud investigator computer 38 may be any 
personal computing device such as that described with regard to seller computer 35. In 
addition, financial institution computer 40 may be any computer such as that described with 
regard to payment facilitator computer 10. Although referred to herein as financial 
institution computer 40, the financial institution may be a traditional financial institution 
such as a bank, savings and loan, or credit union, and may also be a clearinghouse for 
credit card transactions, electronic check transactions, debit card transactions, etc. 
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In one embodiment, payment facilitator computer 10 communicates over the Internet 
via network interface 30 and receives information from and communicates information to 
other computers and personal computing devices connected to the Internet such as seller 
computer 35 and buyer computer 36. Although only one each of buyer computer 36 and 
5 seller computer 35 are depicted, multiple buyers and sellers with personal computing 

devices may utilize the services provided by the fraud detection software executing on 
payment facilitator computer 10 by communicating over the Internet. Communications by 
buyer and seller personal computing devices via the Internet may be accomplished by land 
line, wireless or other methods of communication. 

10 In one embodiment, fraud investigator computer 38 and financial institution 

computer 40 do not connect with payment facilitator computer 10 via the Internet. Rather, 
in one embodiment, a dedicated line such a DSL line, Tl line, etc. connect financial 
institution computer 40 with payment facilitator computer 10. In another embodiment, a 
secure wireless connection may be used between financial institution computer 40 with 

15 payment facilitator computer 10. In one embodiment, fraud investigator computer 38 is 

connected to payment facilitator computer outside of the Internet or other global 
communications network in a private LAN. In another embodiment, there may be multiple 
instances of fraud investigator computers and financial institution computers, although only 
one of each is depicted. Fraud investigators may communicate by email with buyers and 

20 sellers. In one embodiment, all email communication involving the fraud investigator 

computers is routed through the payment facilitator computer, payment facilitator system, 
and/or, in other embodiments, is routed through the payment facilitator grouping, firewalls, 
LAN, etc. 

Figure 2 depicts a software architecture and software components of one 
25 embodiment of the fraud detection method and system of the present invention. Payment 

facilitator computer 200 includes payment processing software 202. In one embodiment, 
fraud detection software 204 is implemented as a component of payment processing 
software 202. Authorization software 206 is also implemented, in one embodiment, as 
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part of payment processing software 202. In another embodiment, authorization software 
206 may be implemented as part of fraud detection software 204. Payment facilitator 
computer 200 includes email software 208 that allows payment processing software 202 to 
send and receive email messages. 
5 Operating system, communications software and Internet software, collectively 

212, provide file system support, Internet connectivity support, computer communications 
support, and other typical operating systems features. The operating system, 
communications software and the Internet software 212 may be combined as one entity as 
depicted, or may exist separate from one another. In one embodiment, payment processing 

10 software 202 accesses the Internet and communicates with buyer computers such as buyer 

computer 250 and seller computers such as seller computer 260 with the Internet software. 
In this embodiment, payment processing software 202 accesses the local file system and 
local system resources via the operating system, and accesses fraud investigator computer 
220 and financial institution computer 230 via the communications software. In one 

15 embodiment, the communications software provides support for communications over any 

dedicated computer communication line. 

Fraud investigator computer 220 includes web browser 222, email software 224, 
and operating system and communications software 226. The operating system and 
communications software may be combined as one entity as depicted, or may exist 

20 separately. Upon determining that a payment transaction may involve fraud, in one 

embodiment, fraud detection software 204 sends an email message via email software 208 
and communications software to a human fraud investigator at fraud investigator computer 
224 over a dedicated communications connection such as an Ethernet cable, Tl line, or 
wirelessly. The fraud investigator retrieves the email message using email software 224. 

25 In another embodiment, the fraud investigator computer is capable of communication over 

the Internet such that the fraud notification email message may be sent to the fraud 
investigator via the Internet. In yet another embodiment, payment facilitator computer 200 
and fraud investigator computer 220 may include instant messaging software (not shown) 
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so that an instant message is sent by the fraud detection software upon determining that a 
payment transaction may include fraud. In another embodiment, multiple fraud 
investigators may communicate with the payment facilitator computer over a LAN or other 
private network. In this embodiment, email messages or instant messages may be sent via 
5 the LAN. In addition, fraud investigators may communicate via email messages with 

buyers and sellers. In one embodiment, the fraud investigator's email messages are sent 
over the Internet through payment facilitator computer 200. In other embodiments, email 
from the fraud investigators is routed through the payment facilitator LAN, grouping, etc. 
In one embodiment, financial institution computer 230 includes authorization 

10 software 232 and operating system and communication software, combined as 234. In this 

embodiment, authorization software 206 of payment processing software 202 may seek 
authorization of a payment transaction by communicating over a direct connection to 
financial institution computer 230. Financial institution computer 230 may be a 
clearinghouse for credit card and/or debit card transactions or serve only one financial 

15 institution. Companies that provides authorization services are, for example, Paymentech of 

Dallas, Texas and First Data Merchant Services (FDMS) of Englewood, Colorado. Upon 
receiving a request for authorization of a payment transaction via operating system and 
communications software 234, authorization software 232 processes the request and 
returns a response. Although only one financial institution computer is depicted, in another 

20 embodiment, the payment facilitator computer or payment facilitator system may 

communicate with multiple financial institution computers. In one embodiment, the 
payment facilitator computer communicates with financial institution computer(s) over a 
direct line rather than over the Internet for security and surety of connectivity. In another 
embodiment, the payment facilitator computer may communicate with financial institution 

25 computers via the Internet. In yet another embodiment, the payment facilitator computer 

may communicate with the financial institution computer(s) via a secure wireless 
connection. 
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In one embodiment, fraud detection software 204 accesses information about the 
transaction history of buyers and sellers, reviews blacklists and stores and obtains other 
pertinent data by communicating with database software 210 and accessing one or more 
databases stored on payment facilitator computer 200. Database software 210 may provide 
5 support for any well known database system that implements, in one embodiment, 

structured query language (SQL), or any other well known database languages. In another 
embodiment, fraud detection software 204 communicates with database software 210 
which accesses database server 240 via Java Database Connectivity (JDBC) and/or the 
Open Database Connectivity (ODBC) application programming interfaces to access database 

10 software 242 to store and obtain pertinent information. Database server 240 includes 

operating system and communications software 246. Database software 242 may provide 
support for any well known database system that implements, in one embodiment, SQL, or 
any other well known database languages. In another embodiment, fraud detection 
software 204 may check for fraud by issuing queries regarding information provided by the 

15 buyers and sellers, checking blacklists of various information included with the transaction 

data, checking with external credit bureaus, etc. by communicating with one or more third 
party database servers, one or more third party blacklist servers, one or more external credit 
bureaus, etc. In one embodiment, financial institution computer 230 may also serve as a 
third party database server, third party blacklist server, external credit bureau, etc. 

20 Buyer computer 250 and seller computer 260 may each communicate with payment 

facilitator computer 200 over the Internet 216, or other wide area network. Users of the 
payment facilitator system represented by payment processing software 202 on payment 
facilitator computer 200 communicate with payment facilitator computer 200 via web 
browsers 252 and 262 on buyer computer 250 and seller computer 260. Web browsers 

25 252 and 262 access the Internet 216 and access local file system and local system resources 

via operating system and Internet software 256 and 266. The Internet software provides 
support for TCP/IP, PPP and other network communications protocols. The web 
browsers support communication via HTTP and other application level protocols. An 
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example of a web browser is Netscape Navigator available from Netscape Communications 
of Mountain View, California. 

Figure 3 depicts a general flow of actions taken according to one embodiment of 
the fraud detection method and system of the present invention. After a buyer and seller 
5 agree to participate in a sale of goods or services, as shown in block 300, the seller 

provides sale information to the payment facilitator system, as shown in block 302. In one 
embodiment, the seller provides at least a sale price for the good(s), a description of the 
goods, the email address of the buyer, and an identifier of the buyer such as a name, and 
may also provide a detailed description of the good(s), information about the buyer such as 

10 the buyer's name, email address, billing address, shipping address, etc. In one 

embodiment, the sale information may also include seller information such as the bank 
account, credit card account, or other account which will be credited upon completion of the 
sale. In another embodiment, the seller may provide seller information prior to providing 
the sale information, such as when creating a seller's account with the payment facilitator 

15 system. In one embodiment, the seller's internet protocol (IP) address is saved and stored 

with the seller information and/or with the transaction information. The IP address may be 
gleaned from examination of incoming packets of data from the seller when the seller is 
communicating with the payment facilitator system. 

In one embodiment, the sale information and the seller information are provided by 

20 the seller by communicating to the payment facilitator system via a web site interface 

provided to the seller by the payment facilitator system. In one embodiment, the payment 
facilitator system provides for the communication of programs and data that result in the 
display of images and information on a seller's display screen. For example, the payment 
facilitator system may package JAVA® applets and hyper-text markup language (HTML) 

25 code that is communicated via HTTP over TCP/IP with the user. The user interface 

provided by the payment facilitator system may include well known user interface items 
such as icons, text data entry fields, menus, buttons, sliders, and the like. In one 
embodiment, dates, credit card issuers, banks, etc. may be provided as items in menus 
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accessible via any well known method. In this way, the amount of text required to be 
entered by a user is minimized, and the ease of use of the system is enhanced. In one 
embodiment, the communications between the seller computer and the payment facilitator 
computer are made secure by use of encryption and security techniques such as secure 
HTTP, secured sockets layer (SSL) encryption, and/or the transport layer security (TLS) 
protocol. More information on SSL is available from Netscape Communications of 
Mountain View, California and additional information concerning TLS is available in E. 
Rescorla, HTTP Over TLS , RFC 2818, http://www.ietf.org/rfc/rfc2818Jxt, May 2000. 

In one embodiment, the negotiations and agreement to sell may have occurred on a 

computer system via a sale facilitating system such as EBAY®. In this embodiment, the 

sale information may be provided via a direct communications link to the sale facilitating 
system. In another embodiment, the sale negotiations and agreement between the buyer 
and seller may have occurred by mailed correspondence or by telephone, and may have 
been initiated by viewing an offering of goods or services for sale by a classified 
advertisement on-line, classified advertisement or listing in a newspaper, specialty paper, or 
magazine, or by any other method that connects buyers with sellers. In this embodiment, 
the buyer and seller agree to use the payment facilitator system, and the seller then begins 
the payment transaction process by connecting to the payment facilitator web site. 

After receiving the sale information, the payment facilitator system prepares an 
invoice and emails the invoice to the buyer, as shown in blocks 304 and 306. In one 
embodiment, the invoice includes at least a description of the goods or services the buyer 
agreed to purchase and the sale price, and may include further information such as the 
seller's contact information, namely the seller's email address, mailing address, telephone 
number, etc. In another embodiment, the payment facilitator may prepare an invoice, and 
email a notification to the buyer that an invoice is ready for retrieval at a specified location 
within the payment facilitator web site such as at a specified uniform resource locator 
(URL) or uniform resource identifier (URI). In response to receiving or viewing the 
invoice, the buyer then communicates with the payment facilitator web site, and the buyer 
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provides payment information to the payment facilitator system, as shown in block 308. 
In one embodiment, the payment information includes a billing address information, a 
shipping address information, and a financial account information. The financial account 
information must include one of a credit card account number, a debit card account number, 
5 a bank account number, etc. and may include related information such as an expiration date, 

an issuing institution name and address, etc. The billing and shipping address information 
may include the name of a person, street address, city, state, zip code, and day and night 
telephone numbers. The payment information may also include the buyer's email address, 
screen name, account name, or other identifier and identifying information. In one 

10 embodiment, the buyer's IP address is saved and stored with the payment information 

and/or with the transaction information. The IP address may be gleaned from examination 
of incoming packets of data from the buyer when the buyer is communicating with the 
payment facilitator system. 

Upon receipt of the transaction information, the payment facilitator system analyzes 

15 the transaction information for fraud, as shown in block 310. How this is achieved is 

discussed in more detail below with regard to Figure 4. A check is then made to 
determine whether the transaction appears to be fraudulent, as shown in block 312. If the 
transaction does not appear to be fraudulent, the payment facilitator system debits the 
buyer's account and sends an email message instructing the seller to complete the sale, as 

20 shown in block 314. In response to such an email message, the seller then sends the 

good(s) to the buyer in an agreed-upon manner. In one embodiment, the payment 
facilitator system then credits the seller's financial account upon receipt of an email note 
from the buyer confirming completion of the sale or after a specified period of time, as 
shown in block 316. In this embodiment, the seller's account is credited when the buyer 

25 confirms that the good(s) have been received. Alternatively, in this embodiment, if the 

buyer fails to confirm receipt of the good(s) and does not inform the payment facilitator 
system that the good(s) were not received, the seller's account is credited for the sale. In 
another embodiment, the payment facilitator system may send an email message to the 
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buyer asking the buyer to confirm receipt of the goods. This message could also state that 
if no response to the email message is received, the buyer's account will be debited and/or 
the seller's account will be credited if no response is receive within a specified period of 
time. 

5 If the transaction appears to be fraudulent, as shown in block 312, the payment 

facilitator system sends appropriate email messages to the buyer and/or the seller, putting 
the sale on hold, as shown in block 318. The payment facilitator system then 
communicates information about the payment transaction and fraud information to a human 
investigator, as shown in block 320. The human investigator then investigates the 

10 transaction, starting with the fraud information provided as a result of the earlier fraud 

analysis, to determine whether the transaction is fraudulent or appears to have a high 
possibility of being fraudulent. The fraud investigator then takes whatever action the fraud 
investigator deems appropriate, such as communicating with the buyer and/or the seller by 
email or telephone, contacting local police authorities, contacting the FBI, etc. The fraud 

15 investigator may cancel or allow the sale based on the results of the investigation. If the 

investigator allows the transaction, actions according to blocks 314 and 316 discussed 
above are then executed. 

In one embodiment, after the buyer and seller agree on a sale, the sale information 
may be communicated to the payment facilitator system by the buyer. In this embodiment, 

20 the seller may have already registered with the system, and the buyer provides pertinent sale 

information to the payment facilitator system. This sale information may include the 
payment information regarding the buyer as discussed above regarding block 308, as well 
as specific information identifying the sale transaction such as a description of the goods or 
services the buyer agreed to purchase and the sale price, and may include further 

25 information such as the seller's contact information, namely the seller's email address, 

mailing address, telephone number, etc. The payment facilitator system then sends an 
email sale confirmation request to the seller. In various embodiments, the seller may 
respond to the email to accept the sale transaction, or the seller may accept the sale 
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transaction by communicating with the payment facilitator system via an internet web 
interface either independently or by following a URI or URL contained in the email sale 
confirmation request. In another embodiment, no email sale confirmation request, and the 
payment facilitator system provides a screen notification to the seller the next time the seller 
5 logs on to the sale facilitator system. The screen notification may be a text display or an 

iconic display, or any other user interface technique. The flow of actions then continues 
with block 3 10 as discussed above. 

Figure 4 depicts a more detailed flow of actions taken according to one 
embodiment of the fraud detection method and system of the present invention. Fraud 

10 detection software receives transaction information from the payment facilitator system, as 

shown in block 400. The transaction information may include information about the seller 
such as the seller's contact information, namely email address, user name, mailing address, 
as well as the seller's specified financial account. That is, the financial account to which the 
sale will eventually be credited when the sale is complete. The transaction information also 

15 includes information about the buyer such as the buyer's billing and shipping address 

information, the buyer's telephone number(s), the buyer's email address, the buyer's user 
name, the financial account the buyer has selected to use to pay for the transaction. In 
addition, the transaction information also includes the price of the good(s) and a description 
of the good(s). After the fraud detection software receives the transaction information, the 

20 fraud detection software performs simple screening, as shown in block 402. Simple 

screening is the process by which the fraud detection software compares various data 
contained in the transaction information with lists of financial account numbers, addresses, 
email addresses, user names, telephone numbers, etc. known to have been used with 
fraudulent transactions and/or obtained from a third party such as a credit card issuer, bank, 

25 or specialized service provider. In another embodiment, the lists or blacklists may be 

obtained on demand or regularly from a third party such as a bank, credit card issuer, other 
financial institution or specialized service providers. Such lists include known stolen credit 
cards and addresses known to have been involved with fraudulent transactions either with 
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any of the payment facilitator system, the sale facilitating system, and any of the many 
credit card issuers, banks, other financial institutions, specialized service providers, etc. In 
one embodiment, the simple screening compares the fields for which lists exist with the 
appropriate list. In this embodiment, if any transaction information is found on any 
screening list, the transaction is blacklisted. 

The fraud detection software then checks whether the transaction is blacklisted, as 
shown in block 404. If the transaction is not blacklisted, the fraud detection software seeks 
approval from the financial institution implicated by the financial account specified by the 
buyer, as shown in block 406. In one embodiment, this involves communicating with a 
financial institution such as a credit card issuer, bank, etc. computer via a dedicated line to 
obtain approval for the transaction. The fraud detection software then receives a response 
from the financial institution and checks to determine whether the transaction is approved, 
as shown in block 408. In practice, the financial institution or third party that provides 
financial account approval returns one of a plurality of codes. In one embodiment, the 
fraud detection software determines whether the code returned should be classified as an 
approval or rejection. In another embodiment, the fraud detection software may classify the 
code as a requiring further information and automatically issue email messages to the buyer 
or seller requesting information clarifying the response from the financial institution. In 
this embodiment, one example may be for the fraud detection software to automatically 
send an email message requesting that the buyer confirm the billing address, the buyer's 
name, or other portion of the transaction information to which the fraud detection software 
is directed by the error code. Such a recovery system eliminates false positives when a 
simple typo was made by the user. In one embodiment, if the transaction is blacklisted or if 
the transaction has not been approved, the fraud detection software rejects the transaction, 
as shown in block 410. In one embodiment, when a transaction is rejected, appropriate 
email messages are sent to the buyer and the seller informing them that the payment 
transaction has been rejected. 
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If the financial institution approves the transaction, the fraud detection software 
performs rule-based analysis, assigning a score for the transaction based on rule violation, 
as shown in block 420. The list of possible rules is endless. Generally, certain 
information gleaned from the transaction information is compared with other information. 
This other information may be generally available address look-up information to determine 
whether the seller's address and the shipping and mailing addresses of the buyer exist, or 
may be more complex database queries and retrievals of information obtained from the 
history of transactions that have been processed by the payment facilitator system. In 
another embodiment, the historical information may also be obtained from a database 
maintained by a sale facilitating system in addition to or in place of historical information 
obtained from the payment facilitator system. 

Analyses for whether the addresses and other information contained within the 
transaction information are syntactically correct or whether the addresses or other 
identifying information exists may be referred to as suspect data rules. Example suspect 
data rules include the following: 

a. is the shipping address a real address? 

b. is the shipping address used with multiple different buyers? 

c. is the billing address a real addresses? 

d. is the billing address used with multiple different buyers? 

e. is the shipping address implicated in prior possible fraudulent 
transactions? 

f . does the buyer and/or seller financial account meet the format 
requirements of the type of account it represents? 

g . are the buyer and seller phone numbers real phone numbers? 

h. are the seller and shipping addresses the same? 

Analyses which require more complex analysis of databases of the payment 
facilitator system and/or a sale facilitating system may be referred to as velocity rules. 
Generally, velocity rules check to see if there has been an inordinate amount of activity 
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involving some piece of the transaction information. That is, the rules cause the fraud 
detection software to determine whether there has been excessive activity that may lead to a 
conclusion that the transaction may be fraudulent. In one embodiment, velocity rules may 
involve analysis of transaction volume over a given period of time for the buyer and/or 
5 seller, transaction dollar value totals for the buyer and/or seller for a given period of time, 

etc. In another embodiment, velocity checks may also include analysis of how frequently 
the specified financial account number or buyer has been declined authorization. In 
general, determining that there has been excessive activity with one seller may evidence that 
an innocent seller may be the target of a fraudulent buyer or group of buyers. On the other 
10 hand, excessive seller activity may also evidence that the seller is involved in committing a 

fraud. Although evidence of fraud may exist, it may be difficult to classify whether the 
fraud was committed by the buyer or by the seller. Therefore, if evidence of fraud appears 
to be present in a transaction, the transaction is sent to and examined by a fraud investigator 
so that false positives are minimized. 
15 A more specific example of a velocity rule is determining whether the seller's 

account has been used beyond some determined threshold during some set period of time. 
Another example is determining whether the buyer's credit card has been used for a number 
of transactions exceeding a predetermined acceptable number of daily (or hourly or weekly, 
etc.) transactions. Further examples of velocity rules follow: 
20 a. does the dollar value of transactions from a single seller exceed 

$1,000 per financial account per $10,000 worth of transactions on 
the payment facilitator system? 
b . has the buyer's financial account been used with the seller more than 
3 times in the past hour? 

25 c . has the buyer' s financial account been used with the seller more than 

3 times during the last 1000 transactions on the payment facilitator 
system? 

d. has the buyer spent more then $1,000 in 12 hours? 
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e. has the buyer's financial account been involved with transactions 
exceeding $1,000 in 12 hours? 

f . has the buyer's financial account been involved with more than 
$10,000 in one month? 

5 g . have the buyer and seller been involved with more than $ 1 ,000 of 

transactions with one another in 12 hours? 

h. has the buyer's financial account been used with the seller more than 
3 times in the past 100 transactions with the seller? 

i. has the shipping address been specified more than 3 times in 12 
10 hours? 

j . has the shipping address been specified more than 3 times in the last 

100 transactions involving the seller? 
k. has the seller's or buyer's IP address been involved with more than 

3 transactions in the past 100 transactions on the payment facilitator 
15 system? 

1. has the buyer's IP address been involved with more than $1,000 

transactions in the past 12 hours of transactions on the payment 

facilitator system? 

This list includes just a few of many possible rules. In one embodiment, the dollar 
20 amounts and numbers may remain constant and may only be changed by a system operator. 

In one embodiment, the amounts and thresholds may be automatically adjusted based on the 
kind of goods sold, the kind of seller, and other variables. The dollar amounts and 
thresholds listed above are examples and may be any dollar amounts or thresholds that 
serve as accurate indicators of a possible fraudulent transaction. 
25 In another embodiment, the rule-based analysis may check for fraud by issuing 

queries regarding information provided by the buyers and sellers, checking blacklists of 
various information included with the transaction data, checking with external credit 
bureaus, etc. by communicating with one or more third party database servers, one or more 
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third party blacklist servers, one or more external credit bureaus, etc. in addition to 
checking the database of the payment facilitator system and the sale facilitating system. In 
one embodiment, the same financial institution that was consulted to approve the transaction 
may also serve as a third party database server, third party blacklist server, external credit 
5 bureau, etc. with which the rule-based analysis interacts to execute and evaluate rules. 

A numerical value is associated with each rule. Each time a rule is found to be 
violated, the score for the transaction is incremented by the amount associated with the rule. 
The fraud detection software sets a threshold such that after the rule analyses have been 
completed, when a score exceeds the threshold, the transaction is considered potentially 

10 fraudulent. The numerical values may be weighted according to the particular rule and need 

not be uniform. In some embodiments, a transaction that violates one velocity rule may 
cause the threshold to be exceeded, while violating one suspect data rule may not cause the 
threshold to be exceeded. After the rule analysis is performed, the fraud detection software 
checks to determine whether the score total exceeds the threshold, as shown in block 422. 

15 If the threshold is exceeded, the fraud detection software routes the transaction information 

and rule violation information to a human investigator, as shown in block 430. In one 
embodiment, the routing is achieved via email. In one embodiment, the rule violation 
information may be a code designating which rules were violated, a textual description of 
the rules violated, or both. The code may be any combination of letters, numbers or 

20 symbols that uniquely identifies the rule violated. If the score total does not exceed the 

threshold, as shown in block 422, the fraud detection software accepts the transaction. 
With regard to block 312 of Figure 3, a transaction is considered fraudulent when the 
score total exceeds the defined threshold as in Block 422 of Figure 4. 
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4 

In the foregoing specification, the invention has been described with reference to 
specific embodiments. It will, however, be evident that various modifications and changes 
can be made thereto without departing from the broader spirit and scope of the invention as 
set forth in the appended claims. The specification and drawings are, accordingly, to be 
5 regarded in an illustrative rather than a restrictive sense. 
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